Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.

DNSSEC already has provisions to use a multi-signature key, where many organizations each sign it, and these parts are used to make one global key, so that no one person or organization is owner of the root zone file. It doesn't have to go like that.

It has to be one signature, however, for a practical reason: The top level domain zones change every hour. You're not going to get a dozen organizations to sign off on each of those changes every hour, in any practical or meaningful way.

The dumbest statement in the article is: "The only known complete fix is DNSSEC".

There is still the tradeoff between signed DNS information and who you trust to do the signing. I agree that they can get the root servers signed ok - its a small list and doesn't often change. What happens when they get to the millions of second level domains? Do they really think they can guarantee authentic signed DNS records for every.com domain out there? Good luck with that. They are going to have automated systems

The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.

I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.

The question is who to give it to. The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check. And I'm not in favor of giving a nation control over an international resource simply because it was deployed there first. That'd be like ultimately deferring to France in all aviation matters because of the Montgolfier brothers.

Really, who should get the root zone file? Nobody is eligible so we either give it to no

The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check.

I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

The UN seem like the safer choice because of more oversight.

Two problems. One, the UN would only be effective if the number of countries opposing censorship was larger than the number that rather like it... unfortunately I think that the censors are in the maj

I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

Yes, some of the UN member states are't too keen on free speech, but then again the United States government isn't, either. Granted, you're not quite on the same level as the worst ones but things li

Of the issues you mentioned, only "free speech zones" has anything at all to do with free speech - and that is actually freedom to assemble, since the government does not sort them based on content of speech.

The fact is that the US is more free than almost any other nation when it comes to speech. The only thing we restrict is what is covered by copyright - which sucks but is pretty much on-par with most other nations. DMCA would be our most egregious infringement of free speech IMHO.

You do realise the only 2 countries not in the UN are Vatican City and Taiwan?

Are you suggesting that every other country in the world supports censorship of political speech?

Wouldn't it be a better idea to actually get a clue about an organisation for slagging it off? The UN has wide and varied roles, some it's great at, others not so. How can you be so sure the internet would be in the not so category?

Even the worst member countries have a hard time being "for hunger" or "for disease", so the UN does a really good job helping hungry and diseased people. They suck at enforcing human rights and things like that, where the member countries don't want to get acted against themselves.

Censorship, well, most of the UN members have more restrictions on freedom of speech than the US does. Why in the world would I, as a US citizen, entrust that organization to regulate the internet? I might entrust countries from

The UN is an entity that consists of just about every single country in the world. Of course that means what your perceive as bad countries are going to be involved but you do realise that they have an equal right to see the US as a bad country?

By having every single country have a say you end up with a view that is balanced upon world opinion, not just US opinion as it is now. US opinion most certainly does not represent the rest of the world and as such cannot be used as the

I, personally, do not give a shit what the rest of the world's governments think about how the internet is run. In general, the governments of the world are corrupt and authoritarian. I like the internet open, free, and unfiltered/uncensored. Handing it over to the UN is not a likely way to retain those goals.

If the democratic countries of the world want to get together and decide what to do with the internet, I'd be willing to consider that - because I'd

Countries like the USA, you mean? Seriously, did you ever try to protest at an RNC, for instance? I did, and I can tell you that it sure makes you wonder exactly which nation you're in, anyway.

Right, and those of us from Minnesota know ALL ABOUT your protests at the RNC. Let's see, at this year's RNC in Minneapolis we had mass rioting, bricks thrown through windows of business and destruction of property, an attempted bus-jacking, fires, attacking of delegates from multiple states, throwing feces and urine on delegates, attacking police officers and a vast number of other crimes.

In the pre-RNC raid by the Ramsey County Sherriff's department of the "RNC Welcoming Committee" apartments, police found molotov cocktails, nail bombs, gasoline tanks and other explosives, buckets of urine and all variety of other ordnance. Despite these raids, numerous people were still injured by these people during the riots. Even the liberal mayor of St. Paul applauded the actions of law enforcement and the excellent job they did it keeping the carnage from getting worse.

So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers. These were not "peace protesters". These were terrorists and anarchists by anyone's definition, and no quarter should be given to them. And frankly, no quarter will be given to you either. You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate without reminding others what really happened in Minneapolis at the RNC. People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities the went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

As another citizen of Minnesota, the parent speaks the truth.
I'm all for free speech, but what these "protesters" were doing was attempting to disrupt the political process and infringing on OTHERS' right to free speech.

I third this (Eagan) and I completely avoided St. Paul when they started throwing crap onto buses and cars from overpasses. My Cousin went in on the last day and peacefully protested there was no trouble for people who were organized in peaceful exercise of their first amendment rights, it was the morons attacking cops and delegates that got arrested.

People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities the went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

Not moderating myself here, because I feel that something needs to be said about this. How does this shit get modded Informative? The world is a complicated place, you know. It is entirely possible that both violent protesters and overzealous police exist. Both you and the OP make vast oversimplifications.

Are you not aware that protest is a protected form of speech that is essential to democracy?

Imagine a world where rioters and peaceful protesters are separate. Nobody is denying that there were rioters at the RNC. Rioters should be arrested. However, peaceful protesters were caught in the crossfire and arrested. If you think that these people should be exiled because they disagree with you, then you are no true American.

So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers...And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

Heil Crazy Taco and his ability to judge who is a true American and who is not.

So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you [...]

I believe that's exactly his point. The USA is supposed to stand for the freedoms of all people, no matter how you feel about them.

Standing all high and mighty and believing that you somehow have more of a right to your opinion and behaviour than they do, and more importantly, dividing people into "people like me" and "people like you" is bigotry and shouldn't

Maybe you shouldn't betray your political leanings by singling out the RNC. There are "free speech zones" at the DNC too. It seems to be more dependent on the attitude of the hosting city. At least we don't imprison grandmothers and sentence them to hard labor just for asking to protest.

While I agree that the government (mostly local governments) overreacted to the antics of some douchebags, the fact remains that the US is one of the most liberal - if not the most liberal - nations on the planet when it comes to freedom of speech. Restrictions on speech correlate very well with authoritarian rule.

Yeah, in the US, you can pretty much say what you want, as long as you do it in a place where no one can hear you.

The reason that restrictions on speech correlate very well with authoritarian rule is because authoritarians don't want dissenters to be heard. It weakens their rule over the people, and threatens their power.

Free Speech Zones are public places where people are allowed to exercise their first amendment rights[1]--that is, the right to free speech. These zones tend to be away from the attendees

Protests are only one form of free speech, and it happens that they involve major disruption. It's like a parade or a festival... even when everyone is very peaceful, you have requirements for food, water, and human waste. Frankly, it's not particularly fair to crash someone else's parade after they've paid for everything and then complain about your rights being squashed. You want to have a parade? Go for it - but pay for all the mess you'll make.

And you know what? These WTO/RNC/etc protests are NOT non-violent, they are NOT low-impact, and they cause a major disruption - by DESIGN. You have a right to free speech. Have a parade, publish a newspaper, etc. You do NOT have a right to be a douche.

It tells me that your message isn't worth hearing, because you have resorted to abandoning any sort of civilized debate and just crying like a 2-year-old.

(Note I don't mean you in particular, just the style of writing that I used.)

Excuse me, but the reason that most people resort to such intrusive methods is that the government neuters their otherwise peaceful message by plugging their ears through free-speech zones.

No, it isn't. Their message is fringe and not even close to being popular. They are ignored, and so make noise. The wide use of "free speech zones" came after the douchbaggery, not before - though I happen to agree that they are overkill. Just make the protesters file for a permit, pay for the extra police, get sufficient porta-potties installed, etc... no need for specific zones.

Remove all violent protests, and soon the peaceful ones will be dead, in jail, or brainwashed.

That's just absurd. Violent protests have no place in a civil society. That is the whole point of free speech and the justice sys

The wide use of "free speech zones" came after the douchbaggery, not before - though I happen to agree that they are overkill. Just make the protesters file for a permit, pay for the extra police, get sufficient porta-potties installed, etc... no need for specific zones.

Those zones shouldn't be necessary, and the permit filing was done long before they existed by many protesters in many situations, but the governments of many western countries, the USA and Canada included have a history of provoking these p

You only believe the protesters are fringe lunatics because of how they're portrayed on the news after the weirdness has erupted. Try finding a nice video of a blogger with a hidden camera at one of these protests from start to finish and you'll see what really goes on.

Nooooo... I live in NYC and have the pleasure to stroll through these protests every so often. Usually these people are what I would term professional or at least hobbyist protesters. They are largely from out of town. They tend to represent every insane cause you ever didn't want to know about. All the usuals are there, too. The free Tibet crowd, the "I don't eat this or that" crowd, the "free this wronged convict" crowd, anarchists, communists... maybe you don't consider these people fringe - but they ver

And so long as you believe that, the three-letter agencies running your semi-secret prisons will continue trampling the rights of your fellow citizens, denying them due process and denying you your privacy.

And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...

Yet someone else who doesn't seem to understand what the UN actually is. I can only imagine you're making the mistake of confusing the UN security council with the UN as a whole.

The UN as an organisation consists of all but two countries in the world so yes, of course they're comprised of many nations that censor speech. They also consist of many nations that don't. The whole point in the UN is that it's an organisation that exists to oversee international systems, politics and disputes in such a way that a

The UN? Are you out of your mind? That is the most corrupt incompetent bunch of unelected bureaucrats that have ever existed.

What you want to do.. is you want to make sure the person who holds the key, does not have the power of force behind them.. that means you have to keep it out of the hands of government. ICANN is probably the best choice..

Puts a private company in control of a very, very important part of the internet

Has previously fucked with DNS, would likely do so again if considered a wise business decision

US Government

Pros:

Wouldn't dare let it go down since business in their country is very dependent upon it

Puts elected officials in charge of a very important part of the internet

Cons:

Nationalizes an important part of an international network

Puts elected officials in charge of a very important part of the internet

ICANN

Pros:

Has been doing this a long time

Is a non-profit company so isn't driven by the same business needs as, say, Verisign

Cons:

Still somewhat national

I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.

It does not really have to be the UN, it can be a non-profit organisation (legally) under UN. This would mean, of course, that those running it would get a huge power... but they could not (would not necessarily) be persuaded to change policy by any government or lobbyists.

That would get rid of the bureaucracy and tyranny of majority, but could lead to tyranny of minority.

How that would work out in practice would be interesting experiment, to say the least. Whether trying is worth the risk... well, let's

US GovernmentPros:Puts elected officials in charge of a very important part of the internet

I would put that on the con side. I rather have a person who knows what he is doing in charge and not so much somebody who is popular and knows how to play the electoral game.Also they are elected by a minority of the users.

Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.

It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.

Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].

But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.

The problem with this statement "I don't think any one of them should be in exclusive control" is that this network was initially created for the sole purpose of protecting the swift transfer of data should a nuclear attack hit the US of A. It's gotten beyond that in a major way, but it started in the US, so I can understand why the US would want the keys.

Though at this point, I don't think any solution that gives any one person the literal key to the internet is a good one, so, on that point, I agree - f

In reality, it wouldn't affect too much of the normal use of the internet. Basically, whoever has control of this has control of creation and modification of top-level domains, like.com,.net, and.org, to a certain degree, in that they could enable or disable them, but not modify them directly (unless they disabled them and created their own modified version).

In theory, they could bring down the internet with such access though, so it is something worth serious consideration.

If the root is handled well, not at all. All that happens at the root zone is the creation and deletion of TLDs. Anything sub-TLD is handled by the entity(ies) responsible for their respective TLDs (such as Verisign, DK-Hostmaster or what have you).

If Verisign is the steward of both the root (in whole or in part) and the.com zone, they may be able to play tricks on us, but I'm not sure what those tricks are. Also, bear in mind that what we're (most likely) talking about isn't that you won't get a name,

The problem is that this scheme might work now, but it is not very future proof. How would you avoid the issue of Participant A borging participants B through T, thereby owning enough pieces of the key to do whatever they want, no matter what Participants U through Z have to say?

This might happen with private organizations (companies get bought) or with states (Russia takes over Georgia's piece of the key, just going on what's in the news).

General Multiparty Computation protocols can be secured against strictly less than one third of the players being corrupted; corrupted here means that it deviates from the protocol, for instance by telling its secret to some other player because it in practice is under the control of the other player.

The simple version of how to handle it is that whenever someone deviates from the protocol, the honest parties reassemble the secret key and compute a new secret sharing; that is, everyone gets a fresh chunk of

I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.

The problem is that that theoretical hosts file is already split among different entities; for example, Verisign controls the.com and.net registries, not ICANN. So, if you wanted to do that, you'd have to convince all of them to give up their control.

Latest I can find for UN payments is 2005 figures [unausa.org]; I wouldn't call the difference between $423M (USA) and $375M (Japan) all that huge a degree. And is the USA actually paying its dues now? In 2005 it owed almost a billion in unpaid dues.

When the OP talks about "funding the UN", he's not referring to dues. He's talking about actually paying for the activities of the UN, such as troops on the ground in hotspots, which many other countries are unwilling to do.

Of course, there's still a fuzzy line there - sometimes it can be argued that the US is just using the UN as a cover for their own activities (e.g., trying to get the UN to authorise an invasion of Iraq, then the entire Iraqi war would be considered a UN mandate, and thus count toward "

I have not fully digested your draft, but I believe you are right. There are many proposed solutions that shore up DNS somewhat, as long as our random number generators are strong. That has traditionally proved difficult, and the random number generators have been the primary attack point time and time again. I also think that creating the solution by only looking at recent DNS attacks is short sighted. DNS has the possibility of becoming so much more then it currently is, if we can trust it.

DNSSEC enables using DNS as the method of protection from MITM for other applications.

With DNSSEC you can distribute your SSH fingerprint in a signed DNS record. That would enable your application (SSH) to have a secure connection that can even withstand a MITM attack as long as you can verify the DNS signing keys, irregardless of whether or not you've ever connected to that server before.

HTTP sucks too, but we use it because we all use it. Whatever we want to build gets a http implementation simply because everyone else uses it and understands it, and interoperability is king. In fact, a web service like http/SSL implementation is the only other real contender for a large scale PKI that has a snowball's chance in hell of being adopted. If DNSSEC fizzles out, I'll try that way.

DNSSEC is the best shot we have at world scale PKI because it's an incremental add-on to something we already have

But in the end, who really cares who signs it now - what can be signed once, must be able to be signed again (especially if there is a validity period of the signature), and if the signatory needs to change in the future then it can be changed then.
Delaying the signing process is counter-productive, as procrastination in this regard only helps the hackers and not the greater unwashed masses who don't know they need this process to be completed in the first place...
Maybe they should ask for comments _after_ they have told us the first signatories name. They will get comments then regardless of who they choose;)

How about the operators of each Root server signs their own copy of the root? That way if one entity implements policies that you don't agree with you simply remove them from your hints file. There's a reason there's multiple root servers and putting the signing authority in the hands of one entity inherently makes the system less diverse and fault tolerant.

this isn't like the web where it helps (but is still far from ideal) to have a few central authorities who sign certificates for many entities? This sounds like it would be more of a central thing. Why not just self-sign and publish the key fingerprints in papers, journals and whatever?

Holding the root zone key is by definition part of the function of the IANA (one of Jon Postel's many jobs back in the day.) The IANA is the organization that manages the root zone. It has always been that way.

Since ICANN (or rather one internal division of ICANN) is currently the IANA, they would control the keys.

If a new IANA is appointed (and approved by the Internet Architeture board (who must approve any IANA appointment, since the maintains the registry of Names and Numbers assigned in the RFCs on beh

"On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."

ICANN: Organisation situated in the US, can be heavily influenced and controlled the US governmentVerisign: Private company that is only interested in profit and is situated mostly in the US thereby it can be heavily influenced and controlled the US governmentNTIA: US government

DNSSEC is a protocol similar to, but not compatible with DNS. It is difficult to deploy and requires much more powerful hardware than current DNS servers otherwise require. DNSSEC offers no security guarantee unless DNS is completely replaced with DNSSEC.

dnscurve [dnscurve.org], on the other hand, is fully backwards compatible with DNS, would be dead-simple to deploy, requires a fraction of the computing power than DNSSEC requires, and it can be deployed incrementally.

Except that DNSSEC is DNS. Period. It isn't compatible with DNS, it is DNS. It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server. It's not difficult to deploy, all current DNS servers already implement it so it's already deployed. What's difficult is the process of generating the signature chains, since the validity of the signatures at any level depends on the signature chain back t

"Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WONT mess this up completely? Give the key to Google or AOL or IBM or something."

Those who don't understand DNS would recommend giving it to IBM.

Hi. I run the root server that was the first runner up in the contest to administer it, ahead of two other groups. We were actually asked by the gov to advise icann which we did until we realized all they were doing is using us to get away with what they wanted to do, instead of listening to advice on horrific problems. Hint: the mandate specifies icann is a membership organization and 10 years later you still can join and have a vote. Ahem.

During this time and for 5 years before that I run the a root to one of the alternative root zones.

If you think dnssec will fix the problem or that it's the right answer or that it will actually secure it then you and Dan Kaminsky haven't thought about it enough.

But if you wanna go ahead with the broken dnssec model the keys should be held by Paul Vixie. This is all his mess anyway and he already holds the keys to usenet.

One key for Google flying oh so high,One for Apple for without it fans would moan,One for IBM what are based in Armonk, NY,One for the Dark Lord on his dark throneIn the Land of Redmond where the Shadows lie.One Key to rule them all, One Key to find them,One Key to bring them all and in the darkness bind themIn the Land of Redmond where the Shadows lie.